Consumer and legal groups say New Zealand’s biometrics code still has deficiencies

New Zealand’s consumer and legal groups have highlighted concerns over the country’s upcoming draft biometrics code, including the removal of the consent safeguard and insufficient oversight.

The Privacy Commissioner is currently conducting an open consultation on the Privacy Code of Practice for Biometrics, designed to fill a gap in New Zealand’s regulatory landscape and address public concerns over the introduction of facial recognition in places such as retail stores.

Non-profit group Consumer NZ, however, says that the current draft is missing a privacy safeguard connected to the authorization for biometric processing and the ability to opt out.

“This safeguard reinforces the importance of consent,” the group says. “In our previous submission, we highlighted concerns that individuals may lack understanding of the technology used in biometric processing which impacts their ability to provide genuine consent. This provision bolstered the requirement of not only awareness of the collection but explicit consent to it.”

In its submission published in March, Consumer NZ recommended that the safeguard be reinstated. The organization also noted that it is important not to create an exhaustive list of privacy safeguards and to list safeguards in the biometric code itself instead of its guidance.

“In our view, the Code sends a strong message that the rules need to be complied with,” the group says.

The New Zealand Law Society, on the other hand, has focused on other aspects of the Biometrics Code. In its submission, the organization lists several unresolved concerns, including insufficient independent oversight and allowing organizations processing biometric information to make subjective decisions.

“An organization processing biometric information will make their own, subjective assessment of the multiple matters set out in Rule 1,” the group says. “This concern is compounded by the absence of any complaint mechanism other than those for which the Privacy Act already provides.”

Rule 1 of the Privacy Code of Practice for Biometrics is connected to purposes for collecting biometric information.

In February, local media reported that the government of New Zealand has been reviewing the Privacy Act 2020 to identify legal barriers to the use of facial recognition surveillance to prevent retail crime. Critics, however, have suggested the government could be using the review to stall the introduction of the Privacy Code of Practice for Biometrics.

Unlike the Privacy Act which sets out general guidelines, the new Code will be used to regulate the use of biometric data in more detail, including in facial recognition applications.

Article Topics

biometric identifiers  |  biometrics  |  data privacy  |  data protection  |  New Zealand  |  New Zealand Privacy Commissioner  |  regulation